Bug 1484978 – CVE-2015-5081 Django: CSRF around publishing of draft changes

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1484978 - (CVE-2015-5081) CVE-2015-5081 Django: CSRF around publishing of draft changes

Summary:	CVE-2015-5081 Django: CSRF around publishing of draft changes

Status:	NEW

Aliases:	CVE-2015-5081

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170824,repor...
Keywords:	Security

Depends On:	1484979 1484980 1484981
Blocks:
	Show dependency tree / graph

Reported:	2017-08-24 14:15 EDT by Pedro Sampaio
Modified:	2018-06-29 18:27 EDT (History)
CC List:	27 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2017-08-24 14:15:09 EDT

CSRF issue around publishing of draft changes in Django CMS. 
Versions affected are Django CMS <3.0.14 and <3.1.1.

Upstream patch:

https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

References:

http://www.openwall.com/lists/oss-security/2015/06/27/1
https://www.django-cms.org/en/blog/2015/06/27/311-3014-release/

Comment 1 Pedro Sampaio 2017-08-24 14:17:55 EDT

Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1484981]


Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1484979]
Affects: fedora-all [bug 1484980]

Comment 2 Matthias Runge 2017-08-25 05:57:29 EDT

I may be wrong, you filed a bug against python-django, which is the framework. The CVE is for python-django-cms, which is a different software.

As far as I can see, there is no python-django-cms in Fedora or EPEL.

Note You need to log in before you can comment on or make changes to this bug.

apevec
bkabrda
bkearney
cbillett
chrisw
jakub.dornak
jal233
jjoyce
jschluet
kbasil
lhh
lpeer
markmc
mburns
mhroncok
michel
mrunge
rbryant
rhos-maint
sclewis
sgallagh
sisharma
slinaber
smooge
srevivo
tdecacqu
tomckay